2.1 The Privacy Act and Health Information Privacy Code
How we confidentially manage patient information is one of the most important aspects of general practice. Protecting the private details of a patient is not just a matter of moral respect; it is essential in retaining the important bond of trust between not only clinicians and their patients/whānau but also the wider practice team.
Standard – what we’ll be assessing on
Evidence to provide for assessment
2.1 The practice understands and implements the current Privacy Act and Health Information Privacy Code.
In general practice, the Code applies rules to organisations in the health sector about how health information is handled, and patients have expectations about how their health information will be managed.
The Code recognises that people expect their health information:
- to be kept confidential, because it was probably collected in a situation of confidence and trust
- to be treated as sensitive, because it may include details about body, lifestyle, emotions and behaviour
- to have ongoing use, because a piece of medical information may become clinically relevant even a long time after it was initially collected
- to be used for the purposes for which it was originally collected, and that they will be told about those purposes.
The Privacy Act 2020
The Privacy Act 2020 controls how ‘agencies’ collect, use, disclose, store and give access to ‘personal information’.
Health Information Privacy Code 2020
The Health Information Privacy Code 2020 sets specific rules for agencies in the health sector. It covers health information collected, used, held and disclosed by health agencies and takes the place of the information privacy principles for the health sector.
Rules of the Health Information Privacy Code
The Health Information Privacy Code has thirteen rules:
- Rules 1, 2, 3 and 4 govern the collection of health information. This includes the reasons why health information may be collected, where it may be collected from and how it is collected.
- Rule 5 governs the way health information is stored. It is designed to protect health information from unauthorised use or disclosure.
- Rule 6 gives individuals the right to access their health information.
- Rule 7 gives individuals the right to correct their health information.
- Rules 8, 9, 10 and 11 place restrictions on how people and organisations can use or disclose health information. These include ensuring information is accurate and up-to-date and is not improperly disclosed.
- Rule 12 governs the disclosure of health information outside of New Zealand.
- Rule 13 governs how ‘unique identifiers’ - such as Inland Revenue Department (IRD) numbers, bank client numbers, driver's licence and passport numbers - can be used.
All team members are to complete current Privacy Act and Code training provided by the Office of the Privacy Commissioner.
The privacy officer is responsible for understanding the Privacy Commissioner’s guidance and ensuring resources are available for training. Privacy Officers are to complete Privacy 101 and Health 101.
For the remaining team members, the required minimum is Health ABC and Privacy ABC; however, the practice should determine the training relevant to each team member’s role.
If Health ABC and Privacy ABC, or Privacy 101 and Health 101, were completed prior to December 2020, team members also need to complete the Privacy Act 2020 training.
Training requirements for Privacy Officers (and those requiring a higher level of knowledge according to their role): Privacy 101 and Health 101.
Training requirements for other team members (for example GPs, nurses and admin/reception): Health ABC and Privacy ABC.
Management of patient information
General practice ICT security checklist
The ICT security checklist covers the essentials of digital security. This checklist is based on the baseline requirements discussed in the Health Information Security Framework.
Third party access
Patients can approve third party access to records, results, or request/collect prescriptions through clear documentation. Third parties include but are not limited to a family member, spouse, or friend. Discretion may be applied if the patient is incapacitated, cognitively or physically impaired, in difficult social circumstances or a child. Youth records must be reviewed to ensure their confidentiality is maintained.
Video and telephone consultations
Developing a security policy and protecting health information in the practice
Rule 5 of the Health Information Privacy Code 2020 describes reasonable security safeguards to protect health information. This includes keeping the information safe from loss, as well as from unauthorised access, use, modification or disclosure.
The practice’s policy must describe how patients’ privacy is protected when photographs are taken: using a secure device, not retaining photos on devices, submitting photos securely, and storing them securely within the PMS.
To comply with Rule 5, the practice needs to consider what risks exist for the health information it holds and implement a plan to address those risks.
Security of electronic health information
Most sensitive information in general practice is likely to be stored within the PMS, therefore the electronic PMS must be deployed in an up-to-date, secure and fit-for-purpose IT environment.
Backup and retrieval system
A backup is a copy of some or all of the files and information stored on a system. The purpose of a backup is to be able to recover all patient information stored in the computer system. Backups need to include the PMS database and any other patient information held outside the PMS (e.g. photos and scanned documents). They may also include other computer files on the system (e.g. HR records, financial data, emails and business records).
Independent auditing of the electronic data systems and policies
It is important that the practice provides evidence of independent auditing of its electronic data systems and policies. If the practice uses a third-party IT support provider, that provider must be able to audit the systems independently and identify information security issues. Having a specialist IT provider can help maintain the system and ensure its security.
The third-party IT specialist must be external to the practice; this excludes family or friends. The practice must have a contract with the third-party IT provider, which can be on an as-needed basis or a retainer.
Impacts on management of health information in an evolving environment
Elements to consider when developing a process for video/telephone consultations:
- Choose a digital platform that has end-to-end encryption, is endorsed by established health providers that have completed both a Privacy Impact Assessment (PIA) and a Cloud Risk Assessment (CRA), and is easy for patients and providers to use.
- Prior to the video consult, a practice team member, such as a nurse, phones the patient to establish whether the consult can be done by video or telephone and to ensure the patient understands:
  - how to connect to the platform
  - that they should set themselves up in a private room/space
  - to be aware of anyone able to listen in, especially if on speaker phone or speaker
  - that having another person or whānau present during the consult is acceptable, and to let the provider know
  - that they have options, i.e. would the patient prefer a telephone or video consultation? (if applicable)
  - that during the consult, the provider may decide an ‘in person’ consultation is needed and request that they visit the medical centre
  - what the fees are, including if the consultation is split between video/telephone and ‘in person’.
Practices need to:
- Establish how informed consent is obtained and attached to the patient’s file in the PMS.
- Ensure health providers know to document in the patient notes (PMS) the type of consult undertaken.
- Ensure health providers know to document in the notes if a patient refuses to come for an ‘in person’ appointment.
- Establish how any test or diagnostic results will be communicated.
- Ensure providers have training.
Privacy and health information policy
A Privacy and health information policy and procedure must include:
- Adherence to privacy legislation.
- A designated Privacy Officer.
- Training of practice team members according to role.
- Provisions for maintaining privacy in the practice’s physical environment (for example, a radio playing, front desk security, management of patient’s medical notes, etc).
- Adherence to the HIPC.
- A process around how practices collect, use, disclose, store, and give access to personal medical information.
- Keeping the information safe from loss, as well as from unauthorised access, use, modification, or disclosure.
- How patients can approve third party access to records, results, or request/collect prescriptions.
- A process for maintaining patient privacy with video and telephone consultations.
- Digital security - based on the baseline requirements discussed in the Health Information Security Framework.
- Identified areas where risks exist for patients’ health information and a plan to address those risks within the practice.
- Keeping medical information safe from loss.
- A process for managing a privacy breach.
- PMS safeguards (passwords, screen savers, privacy screens, etc.).
- Independent auditing by a third-party IT technician.
- Backup and retrieval system process.